[strongSwan] trying to get basic pubkey strongswan connection with certificates up and running

Cindy Moore ctmoore at cs.ucsd.edu
Sat Sep 13 16:17:46 CEST 2014


Ah, thank you for the Network Manager explanation.  I thought that
was very strange.  I didn't realize it didn't run with root
privileges.

As for the ipsec.conf file, it is fine.  It is the email client that
destroys how it is formatted when I send it out, so you guys can't see
how it looks but

root at vpn:/etc# ipsec statusall
Status of IKE charon daemon (strongSwan 5.1.2, Linux 3.13.0-35-generic, x86_64):
  uptime: 40 hours, since Sep 11 14:16:36 2014
  malloc: sbrk 2568192, mmap 0, used 416528, free 2151664
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 0
  loaded plugins: charon test-vectors ldap aes rc2 sha1 sha2 md4 md5 random nonce x509 revocation constraints pkcs1 pkcs7 pkcs8 pkcs12 pem openssl xcbc cmac hk
Virtual IP pools (size/online/offline):
  xxx.xx.xxx.0/24: 254/0/0
Listening IP addresses:
  xxx.xxx.xxx.xxx
 (ipv6 address deleted)
Connections:
 roadwarrior:  xxx.xxx.xxx.xxx...%any  IKEv1/2
 roadwarrior:   local:  [vpn.example.com] uses public key authentication
 roadwarrior:    cert:  "C=CH, O=strongSwan, CN=vpn.example.com"
 roadwarrior:   remote: uses public key authentication
 roadwarrior:   child:  0.0.0.0/0 === dynamic TUNNEL
Security Associations (0 up, 0 connecting):
  none


Thanks,


On Sat, Sep 13, 2014 at 3:24 AM, Noel Kuntze <noel at familie-kuntze.de> wrote:
>
> Hello Cindy,
>
> As network manager doesn't run as your user, you need to give
>  it access to the certificate and the private key in your home directory.
> You can do this by changing the group of those files to a group
> the network manager user is in and giving said group read
> access to the file and execute access down the path to said files.
>
> Yes, the error message indicates a configuration mismatch
> between the server and the client.
>
> I think you need to indent the section parameters with a tab for strongSwan to read them correctly.
> Check with "ipsec statusall" whether it correctly read all the conn definitions.
>
> Kind regards,
> Noel Kuntze
>
> GPG Key ID: 0x63EC6658
> Fingerprint: 23CA BB60 2146 05E7 7278 6592 3839 298F 63EC 6658
> On 13.09.2014 at 00:05, Cindy Moore wrote:
>> Hi, I'm hoping I can get some tips or direction here, because I've
>> been banging my head on this for a while.
>>
>> I have strongSwan 5 installed on Ubuntu 14.04 with all the latest updates, etc:
>> root at vpn:/etc# ipsec version
>> Linux strongSwan U5.1.2/K3.13.0-35-generic
>>
>> This part seems to be functioning fine.  I've used the ipsec pki to
>> generate a vpn cacert, and then a couple of certs to test things with.
>> (For reference, I've included the steps I took to create those below,
>> along with my ipsec.conf)
>>
>> All I want is to set up a connection between two machines, both
>> running 14.04.  "vpn" is a server install, client is a desktop
>> install.  I've installed the network-manager-strongswan (version
>> 1.3.0-1ubuntu1) and restarted the network manager.  I've tried to
>> configure it as per
>> https://wiki.strongswan.org/projects/strongswan/wiki/NetworkManager
>> but there are already some differences in what's shown and what I get.
>>
>> Instead of Authentication, there is now Client, with Authentication
>> under that (and additional options depending on what is chosen for
>> Authentication).  The choices for Authentication are
>> Certificate/private key, Certificate/ssh-agent, Smartcard, EAP.  I
>> have questions about the ssh-agent, but I'll tabulate those for now.
>> Anyway, so when I choose Certificate/private key, I get two more
>> options below Authentication, which are Certificate and Private key.
>>
>> So for Gateway, I've got down vpn.example.com (name changed to protect
>> guilty of course :) )
>> and for Certificate, I have vpnHostCert.pem (see below).  For
>> Authentication, Certificate/private key, for Certificate, moiCert.pem
>> (see below) and for private key moiKey.pem (see below). I've checked
>> the options to request an inner IP address, and to enforce UDP
>> encapsulation, but have left the IP compression unchecked.
>>
>> Under the General and IPv4 settings, I've left the latter at the
>> default Automatic (VPN); for the former, I've tried both checking and
>> unchecking "all users may connect...".
>>
>> [NB: I find that I MUST have all .pem files set to 644 and any
>> directory along their path to 755 or else Network Manager stalls,
>> asking me for a password and the client's syslog contains "charon-nm:
>> 15[LIB] opening 'path/to/moiKey.pem' filed: Permission denied", which
>> strikes me as rather strange: to force a private key to be readable??
>> In this case client is a personal laptop so maybe not that bad, but
>> really?]
>>
>> In following the syslog output on the vpn host, I see:
>>
>> Sep 12 14:42:02 vpn charon: 04[CFG] looking for peer configs matching
>> xxx.xxx.xxx.xxx[C=CH, O=strongSwan, CN=vpn.example.com]...<client's
>> current IP addr>[C=CH, O=strongSwan, CN=moi]
>> Sep 12 14:42:02 vpn charon: 04[CFG] no matching peer config found
>>
>> so my guess is the conn roadwarrior (see below) isn't properly configured?
>>
>> I would appreciate any help... getting this configured has been a huge
>> headache.  Thanks.
>>
>> --------------
>> Background info/files:
>>
>> CAcert/key:
>>
>> $ cd /etc/ipsec.d/
>> $ ipsec pki --gen --type rsa --size 4096 \
>> --outform pem \
>> > private/strongswanKey.pem
>> $ chmod 600 private/strongswanKey.pem
>> $ ipsec pki --self --ca --lifetime 3650 \
>> --in private/strongswanKey.pem --type rsa \
>> --dn "C=CH, O=strongSwan, CN=strongSwan Root CA" \
>> --outform pem \
>> > cacerts/strongswanCert.pem
>>
>> vpnHostKey/Cert:
>>
>> $ cd /etc/ipsec.d/
>> $ ipsec pki --gen --type rsa --size 2048 \
>> --outform pem \
>> > private/vpnHostKey.pem
>> $ chmod 600 private/vpnHostKey.pem
>> $ ipsec pki --pub --in private/vpnHostKey.pem --type rsa | \
>> ipsec pki --issue --lifetime 730 \
>> --cacert cacerts/strongswanCert.pem \
>> --cakey private/strongswanKey.pem \
>> --dn "C=CH, O=strongSwan, CN=vpn.example.com" \
>> --san vpn.example.com \
>> --flag serverAuth --flag ikeIntermediate \
>> --outform pem > certs/vpnHostCert.pem
>>
>> Client cert/key:
>>
>> $ cd /etc/ipsec.d/
>> $ ipsec pki --gen --type rsa --size 2048 \
>> --outform pem \
>> > private/moiKey.pem
>> $ chmod 600 private/moiKey.pem
>> $ ipsec pki --pub --in private/moiKey.pem --type rsa | \
>> ipsec pki --issue --lifetime 730 \
>> --cacert cacerts/strongswanCert.pem \
>> --cakey private/strongswanKey.pem \
>> --dn "C=CH, O=strongSwan, CN=moi" \
>> --san moi \
>> --outform pem > certs/moiCert.pem
>>
>> ("moi" is just a standin for my personal uid)
>>
>> ipsec.conf (note that this email client is munging the tabs, but ipsec
>> reload is perfectly happy with this conf file's syntax)
>>
>> config setup
>>   # uniqueids=never
>>   charondebug="cfg 2, dmn 2, ike 2, net 2"
>>
>> conn %default
>>   ikelifetime=60m
>>   keylife=20m
>>   rekeymargin=3m
>>   keyingtries=1
>>   # note iOS, Android, xauth-pam are all ikev1!
>>   keyexchange=ike
>>
>> conn roadwarrior
>>   # vpn server
>>   left=xxx.xxx.xxx.xxx
>>   # allow full tunneling
>>   leftsubnet=0.0.0.0/0
>>   right=%any
>>   rightauth=pubkey
>>   # assign ip addr from this pool
>>   rightsourceip=xxx.xx.xx.0/24
>>   auto=add
>> _______________________________________________
>> Users mailing list
>> Users at lists.strongswan.org
>> https://lists.strongswan.org/mailman/listinfo/users
>
>
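Noel's suggestion above (change the key's group to one the NetworkManager user is in, give that group read on the file and execute down the path) as a small POSIX shell helper, so the 644 workaround from the first mail is not needed. This is an added example, not code from the thread or from strongSwan; the group name, the top directory and the file layout are assumptions passed in as arguments, and the check functions read the mode bits from `ls -ld`.

```shell
#!/bin/sh
# Illustrative helper (not part of strongSwan): give one group access to a
# private key without making it world-readable.

# Return 0 if the "other" read bit is clear, i.e. the file is not world-readable.
not_world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "-" ]
}

# Return 0 if the group read bit is set on the file.
group_readable() {
    [ "$(ls -ld "$1" | cut -c5)" = "r" ]
}

# Return 0 if the group can search (execute) the directory; 's' covers setgid dirs.
group_searchable() {
    [ -d "$1" ] || return 1
    case "$(ls -ld "$1" | cut -c7)" in
        x|s) return 0 ;;
        *)   return 1 ;;
    esac
}

# grant_group_access FILE GROUP TOPDIR
# chgrp FILE to GROUP (assumed to contain the NetworkManager user), set it to
# 0640, and add g+x on every directory from TOPDIR down to FILE's parent.
# Refuses to touch anything if FILE is not located below TOPDIR.
grant_group_access() {
    f=$1; grp=$2; top=$3
    case "$f" in
        "$top"/*) ;;
        *) echo "refusing: $f is not under $top" >&2; return 1 ;;
    esac
    chgrp "$grp" "$f" || return 1
    chmod 0640 "$f" || return 1
    d=$(dirname "$f")
    while :; do
        chmod g+x "$d" || return 1
        [ "$d" = "$top" ] && break
        d=$(dirname "$d")
    done
}

# Example call (adapt the group and paths to your system):
# grant_group_access "$HOME/.certs/moiKey.pem" nm-group "$HOME"
```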

